From: Inside Counsel
White paper and upcoming event explore the changing role of the general counsel in regard to private sector cybersecurity
By Rich Steeves
Part of the philosophy behind the Department of Homeland Security’s “If You See Something, Say Something” campaign hinges on the idea that we are all collectively responsible for each other’s safety. It’s not just the responsibility of law enforcement to keep us secure, as it might have been in the past. This same paradigm shift is as true in the digital world as it is on the streets. Cybersecurity is no longer just the purview of IT departments, but rather the concern of entire organizations, from workers who bring their own devices to the office all the way up to the highest C-level executives, and this includes a crucial role for general counsels.
Not just an IT issue
These days, intellectual property and consumer data are among the most valuable commodities, and cyber criminals are doing everything in their power to steal as much of this information as possible. This type of theft has become one of the greatest legal risks to organizations, and many new laws have been passed to regulate the protection of this information.
Paul Williams, office managing partner at Major, Lindsey & Africa, explains:
A big part of the GC’s role is risk identification, analysis and management in an ever-increasing number of ways. An organization’s Compliance group, as well as its Privacy function, may report up through the Law Department. GCs, particularly those in consumer-facing companies, in public companies, those that contract with the government, and in companies with highly valued and protected public images, are increasingly called upon to help manage crises that arise from cyber attacks. As a public company director, I know that boards expect their GCs to provide real-time analysis and guidance on all components of risk mitigation, including Cybersecurity. In the digital age, news of these attacks (particularly those involving the theft of customers’ credit card, healthcare information, and other highly sensitive data) can go viral around the world within minutes, having an immediate effect on a brand’s reputation and standing in the marketplace. With regard to their organizations’ own intellectual property, GCs also sit squarely on the front lines in helping to ensure important business assets remain secure and that their risks – legal and otherwise – are kept at a minimum.
New legislation
One factor contributing to the urgency of cybersecurity initiatives is the increasing number of laws that have been passed in this area. The most prominent governmental mandate of recent vintage was the Improving Critical Infrastructure Cybersecurity Executive Order, signed by President Obama in February of this year.
The order calls for the National Institute of Standards and Technology to develop a standardized cybersecurity preparedness and response plan – a framework that is being developed with input from the private sector. A draft of the framework is due in October and should be finalized by February of 2014. As companies develop their own cyber plans around this framework, it is imperative that general counsel be involved in the process, as the plan will establish disclosure and compliance guidelines that will be followed in the event of a breach.
Sherrie Farrell, office managing partner, Detroit and Diversity Committee Chair, Dykema, explains the relevance of this order as it relates to general counsel:
The Cybersecurity Executive Order, first and foremost, is a critical recognition of the growing importance of cybersecurity issues in both public and private sectors. It also is a recognition that these issues are continuing to evolve, and we must be proactive in implementing strategies to deal with them. The Cybersecurity Executive Order orders the creation and release of a federal government-supported cybersecurity best practices model (known as the “Framework”). Although adoption of the Framework is voluntary, the federal government’s focus on identifying, implementing and partnering with public and private sector businesses certainly should signal heightened awareness for general counsel. For example, groups of businesses and lawyers regularly have been working with the government to determine the best practices. The findings of these workshops will be made public. Likely, GC will find that their organizations could benefit from these best practices.
This spring, Congress passed several pieces of legislation focused on ways the federal government can bolster cybersecurity. It would behoove general counsel to follow these and future laws to keep up to date on compliance obligations.
Prosecution and Protection
Typically, general counsels play an important role in the criminal prosecution of cyber attacks. They help determine if prosecution makes sense, in terms of whether it is in a company’s best interest and if it is even possible.
Furthermore, general counsels can help create and maintain cybersecurity measures to help protect a company’s data. GCs can lead the way by:
Leave a Reply